Taking Steps Toward DFARS Compliance: Encryption of Data at Rest

Continuing the topic of my recent blog posts, Government Contractors who store or transmit Covered Defense Information (CDI) are required to comply with the 14 control families of the NIST SP 800-171 by December 2017. The DFARS 252.204-7008 clause dictates the security requirements specified by DFARS 252.204-7012 for Safeguarding Covered Defense Information and Cyber Incident Reporting. The intention of the directive is to ensure the safeguards implemented to protect CDI are consistent across nonfederal information systems as they relate to work contracted by the US government.

While the regulation is not intended to impose burden by requiring additional systems or incurring additional expenses to acquire government contracts, many contractors will not find this to be the case. Although the 800-171 is derived from FIPS 200 and NIST 800-53; the new control set is intended to remove the overhead of the controls specifically geared toward federal agencies. It was expected that most contractors would only need to implement and update policies to comply. This may be valid for contractors who have a mature security baseline in place that contains components of the recommendations included in FIPS 200 or NIST 800-53, it may not be true for all. Unfortunately, for those that do not this regulation may prove to be a challenging and expensive endeavor.

The requirement that I will be focusing on for this post is the need for safeguarding the confidentiality of data at rest. The NIST 800-171 requires contractors to protect the confidentiality of data at rest by employing FIPS-validated cryptography and manage the cryptographic keys that are used for the chosen cryptography employed in the information system. In general terms, this control requires contractors who have systems which process or store CUI safeguard that data effectively with an encryption solution.

What is data at rest?

Data at rest means data that is not moving through networks. Therefore, this generally refers to data stored in persistent storage such as hard drives on servers, workstations, and laptops. Additionally, media such as tapes, CD’s, USB thumb drives and even smartphones can contain data at rest.

What is encryption?

Encryption is the process when data is converted from its original form (plaintext) into an unrecognizable, or encoded text (cyphertext). After being encrypted, the data is unreadable unless an individual has the necessary key or code to decrypt it back to its plaintext form.

Why full disk encryption?

Full disk encryption (FDE) is a security safeguard that protects all data stored on a hard drive from unauthorized access using encryption. With FDE all data is encrypted by default, taking the security decision out of the hands of the user.

Why is it important?

Theft continues to be one of the major causes of data breaches. Common use cases for implementing FDE are to protect data loss due to lost or stolen laptops, smart phones, hard drives or removable media. If a laptop or smartphone falls into the wrong hands, that individual could potentially cause major damage if he or she had access to the CUI contained on that device. However, if the unauthorized user was unable to read the information on the device; then a data breach related to the loss could potentially be avoided.

There are many different encryption methods available. Keeping this in mind, it is important for defense contractors to review their systems to determine what is the best encryption solution to use. Many operating systems include built in mechanisms for encryption, such as Microsoft’s Bitlocker, and Macintosh’s File Vault. While these options may work well, they are often difficult to manage in a corporate or enterprise environment. In these instances, it is often best to look to a third-party software solution to ensure you are getting the manageability and features you need.

Consider the following when sourcing a system and planning your deployment:

Find a solution that is easy to implement and manage to limit the burden on your IT support staff. Systems that utilize centralized administration with automated deployment capabilities can streamline installation and day to day management.

Attempt to find a solution that is compatible with all the client operating systems in your environment. Having only one solution to manage is a major benefit.

Carefully plan, test, and pilot the intended solution on a test group of machines and users in your environment before rolling out a FDE solution to the full organization.

Train your IT staff on the procedures for user management, system recovery in case of failure, and the possible issues related to the encryption process and how to manage them.

Verify users are restricted from disabling the encryption on their systems, or attempt to find ways to verify the full disk encryption has not been disabled.

Do not allow recovery keys to be stored with the client machines and confirm you have a system in place for key management.

Ensure staff have a general understanding of the solution being deployed to their systems and the need for why it is important. Staff support and acceptance can be beneficial especially if any issues are encountered during or after the deployment.

While the thought of implementing a solution of this magnitude might be a daunting thought for many IT teams; if managed correctly with proper foresight, it can prove to be a smooth and effective implementation.

Does your organization need assistance choosing and implementing the right solutions to become compliant before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with leading solutions and provide you with the guidance you need. We have a specialized team of Cybersecurity Professionals with proven industry experience to guide and assist your business in achieving compliance.